Event ID 578 logged 4 times every second

From: Emdee (michaelDONTSPAMorJUNKme@ivision.co.uk)
Date: 03/21/03


From: "Emdee" <michaelDONTSPAMorJUNKme@ivision.co.uk>
Date: Fri, 21 Mar 2003 15:41:08 -0000


A web server in a small domain of web servers and a clustered DB server has a
security event log that is continually being filled with the following
(anonymized of course):

(most recent event first)
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:43
User: PROD\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: EventLog
  Object Handle: 0
  Process ID: 280
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: PROD
  Client Logon ID: (0x1,0x8AFEB6B5)
  Privileges: SeSecurityPrivilege

====================================================

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:39
User: APP1\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: SC Manager
  Object Handle: 4136410348
  Process ID: 280
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: APP1
  Client Logon ID: (0x1,0x85B572A2)
  Privileges: SeTakeOwnershipPrivilege

===================================================

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:39
User: APP1\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: SC Manager
  Object Handle: 4136410348
  Process ID: 280
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: APP1
  Client Logon ID: (0x1,0x85B572A2)
  Privileges: SeTakeOwnershipPrivilege

=================================================

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:39
User: APP1\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: Security
  Object Handle: 864
  Process ID: 948
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: APP1
  Client Logon ID: (0x1,0x85B572A2)
  Privileges: SeTakeOwnershipPrivilege

=================================================

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:39
User: APP1\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: Security
  Object Handle: 864
  Process ID: 4116311068
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: APP1
  Client Logon ID: (0x1,0x85B572A2)
  Privileges: SeTakeOwnershipPrivilege

================================================

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 21/03/2003
Time: 15:37:34
User: APP1\tarsius19
Computer: APP1
Description:
Privileged object operation:
  Object Server: SC Manager
  Object Handle: 4136410348
  Process ID: 280
  Primary User Name: APP1$
  Primary Domain: PROD
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: tarsius19
  Client Domain: APP1
  Client Logon ID: (0x1,0x85B572A2)
  Privileges: SeTakeOwnershipPrivilege

This continues over and over, and event ID 578 occurs 4 times every
second.

There are no signs of intrusion and I can find nothing useful on the net at
all.
Help would be gratefully received,
Many thanks
Emdee
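
A triage sketch for a flood like the one in the post, added here and not part of the original message: it parses entries in the exported text format shown above and counts them per process ID, object server, privilege and client logon session, so the noisiest source stands out. The sample input is constructed from values in the post, and the function names are this example's own.

```python
import re
from collections import Counter

def _entry(time, server, pid, logon, priv):
    """Build one constructed sample entry in the export layout used in the post."""
    return (f"Event ID: 578\nTime: {time}\nDescription:\n  Object Server: {server}\n"
            f"  Process ID: {pid}\n  Client Logon ID: {logon}\n  Privileges: {priv}\n")

# Constructed sample: four abbreviated entries using values quoted in the post.
SAMPLE = ("=" * 40 + "\n").join([
    _entry("15:37:43", "EventLog", "280", "(0x1,0x8AFEB6B5)", "SeSecurityPrivilege"),
    _entry("15:37:39", "SC Manager", "280", "(0x1,0x85B572A2)", "SeTakeOwnershipPrivilege"),
    _entry("15:37:39", "SC Manager", "280", "(0x1,0x85B572A2)", "SeTakeOwnershipPrivilege"),
    _entry("15:37:39", "Security", "948", "(0x1,0x85B572A2)", "SeTakeOwnershipPrivilege"),
])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
KEYS = ("Process ID", "Object Server", "Privileges", "Client Logon ID")

def parse_events(text):
    """Split on '====' separator lines and return one field dict per 578 event."""
    events = []
    for chunk in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):          # skip label-only lines such as "Description:"
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "578":
            events.append(fields)
    return events

def summarize(events):
    """Count events per (process ID, object server, privilege, logon session)."""
    return Counter(tuple(e.get(k) for k in KEYS) for e in events)

def per_second(events):
    """Count events per timestamp to confirm the logging rate."""
    return Counter(e.get("Time") for e in events)

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    for key, n in summarize(evts).most_common():
        print(n, dict(zip(KEYS, key)))
    print("busiest second:", per_second(evts).most_common(1))
```

The process IDs that dominate the summary are the ones to map to running processes on the server, and the client logon IDs tie the events to a specific logon session of the account.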


